CN108055122B - Verifiable memory leak prevention dynamic searchable encryption method and cloud server - Google Patents
Publication number: CN108055122B (application CN201711146556.1A)
Authority: CN (China)
Prior art keywords: data owner, key, VHT, node, search
Legal status: Active (the legal status is an assumption by Google and not a legal conclusion; Google has not performed a legal analysis)
Classifications: H04L9/0643 (hash functions, e.g. MD5, SHA, HMAC); H04L63/06 (key management in a packet data network); H04L63/083 (authentication of entities using passwords); H04L63/123 (verification of received data contents, e.g. message integrity); H04L63/1441 (countermeasures against malicious traffic); H04L9/0838 (key agreement); H04L9/085 (secret sharing or secret splitting, e.g. threshold schemes)
Abstract
The invention belongs to the technical field of cloud computing and discloses a verifiable, memory-leakage-resistant dynamic searchable encryption method and a cloud server. The data owner builds an index and an encrypted file set, outsources both to the cloud server, submits keyword trapdoors to the cloud server to search for related files, and verifies the returned search results; the data owner can also update the encrypted file set. The cloud server stores the encrypted file set and the index, searches the index according to the trapdoor, returns the matching results together with evidence, and updates that evidence after each update operation by the data owner. The invention provides the first dynamic symmetric searchable encryption scheme that simultaneously resists memory leakage and supports verification, protecting the secret key and guaranteeing the correctness and integrity of search results; it also solves the unstable output of keys derived from physically unclonable functions and establishes a more reliable key generation mechanism.
Description
Technical Field
The invention belongs to the technical field of cloud computing, and particularly relates to a verifiable dynamic searchable encryption method for preventing memory leakage and a cloud server.
Background
In the information age, more and more resources are concentrated on the Internet. To manage and use these resources efficiently, cloud computing has emerged as a scalable, high-throughput computing paradigm. Cloud computing offers powerful data storage capabilities, and more and more individuals and companies are willing to outsource their data to cloud servers, since outsourced storage relieves the data owner of a large local data-management burden. Outsourcing, however, inevitably raises data security and privacy concerns. Data owners therefore usually outsource encrypted data, which raises the question of how to perform keyword retrieval over ciphertext. Searchable Encryption (SE) addresses this dilemma: it lets a client outsource a file set to the cloud server in ciphertext form while retaining the ability to search it by keyword. Depending on the encryption algorithm used, SE is classified into Symmetric Searchable Encryption (SSE) and Public Key Encryption with Keyword Search (PEKS). PEKS supports richer query functionality than SSE but is less efficient on large volumes of data; given the data volumes handled in a cloud environment, SSE is better suited to building cloud computing applications. The security of SSE has two aspects: first, the index and the search trapdoors may reveal sensitive information that should not be exposed to the cloud server; second, a malicious server may return incorrect search results for its own benefit. A secure SSE scheme therefore needs a secure index and trapdoor structure, and, against a malicious server, the client must be able to verify the correctness and integrity of the search results.
Much research exists on constructing secure SSE schemes, but fast and effective physical attacks such as side-channel attacks can now readily extract secret information that a user stores in non-volatile memory, so the indexes and trapdoors of most existing SSE schemes are no longer secure. The only dynamic SSE scheme in the prior art that resists memory leakage is that of Dai et al. [Dai S, Li H, Zhang F. Memory leakage-resilient searchable symmetric encryption. Future Generation Computer Systems, 2016, 62:76-84], which resists memory attacks by replacing the long-term information held in non-volatile memory with Physically Unclonable Functions (PUFs); however, that scheme assumes an honest-but-curious cloud server, i.e. it does not consider a malicious server, and the client has no way to verify the search results.
In summary, the prior art has the following problem: no existing symmetric searchable encryption method resists memory attacks and malicious servers at the same time. Specifically: first, existing verifiable SSE methods aimed at malicious servers simply assume that the keys are stored in non-volatile memory, and once an attacker obtains those keys through a side-channel attack or a similar method, their verification becomes useless; second, the existing SSE method that resists memory attacks cannot verify search results.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a verifiable dynamic searchable encryption method for preventing memory leakage and a cloud server.
The invention is realized as follows. The verifiable, memory-leakage-resistant dynamic searchable encryption method combines physically unclonable functions with secret sharing: shares are constructed from PUF outputs, the secret key is recovered from the shares whenever it is used, and no secret information is stored in non-volatile memory, which is what defeats memory attacks. A secure index is built from a binary tree, the VHT, that combines the properties of a Merkle hash tree and a binary search tree, so that updating the file set amounts to updating nodes on the VHT. A MAC is computed over the hash value of the VHT root node and a counter; the cloud server returns the search path in the index together with this MAC value to the data owner as evidence; the data owner recomputes the VHT root hash from the search path, computes the MAC over that root hash and the locally stored counter, and compares it with the returned MAC: if the two are equal the verification passes, otherwise it fails. The cloud server also signs the counter that the data owner stores locally, so that the counter's validity can be established.
Each node N on the VHT is a tuple $(nkey, v, c_l, c_r, h_N)$, where $nkey$ is the key of node N, $v$ its value, $c_l$ and $c_r$ its left and right children, and $h_N$ its hash value, defined as:
The key of node N is larger than the keys of all nodes in its left subtree and smaller than the keys of all nodes in its right subtree.
Further, the method uses collision-resistant hash functions, PCPA-secure symmetric encryption algorithms $E_1 = (\mathrm{Enc}_1, \mathrm{Dec}_1)$ and $E_2 = (\mathrm{Enc}_2, \mathrm{Dec}_2)$, a pseudo-random permutation, a message authentication code MAC, and a secure signature scheme SIGN such as the BLS short signature, where d denotes the number of keywords in the dictionary.
Further, the method consists of the following six algorithms:
KeyGen($1^\lambda$): takes the security parameter $\lambda$ and generates the secret key K; the data owner randomly selects t $(n_1, d_1, m_1)$-PUFs, an $n_1$-bit string s and a secret $a_0$;
Enc: given the file set, the keyword set, the public parameters PP and the secret key K, the data owner runs this probabilistic algorithm to generate the encrypted file set, the search index and a client state $\sigma$;
TrapGen(w, K, PP): given a query keyword $w \in \Delta$, where $\Delta$ is the dictionary of all possible keywords, the data owner runs this algorithm to generate the trapdoor of w;
Search: on receiving the trapdoor $TK_w$, the cloud server matches the trapdoor on the index;
Verify: the data owner runs the verification algorithm to check the validity of the search result; if the evidence $\tau$ passes verification the data owner accepts the search result R(w), otherwise R(w) is rejected;
Update(op, K, PP): op = {upd, c, W′} denotes an update operation, where upd is the update type, c the updated file and W′ the updated keyword set; the data owner performs different update operations according to op.
Further, in KeyGen the data owner computes:
$r_i = PUF_i(s),\quad (z_i, hd_i) \leftarrow FE.Gen(r_i),\quad i \in [1, t];$
where FE = (FE.Gen, FE.Rep) is an $(n_1, d_1, m_1)$-fuzzy extractor. The data owner also selects a prime p larger than both $a_0$ and t and constructs over the finite field the polynomial of degree $k-1$:
$f(x) = a_0 + a_1 x + \dots + a_{k-2} x^{k-2} + a_{k-1} x^{k-1} \bmod p;$
where $a_1, \dots, a_{k-1}$ are integers chosen uniformly at random from [0, p). The data owner then computes the shares:
and outputs the public parameters $PP = \{f_1, \dots, f_t, hd_1, \dots, hd_t, s, p\}$ and the key $K = \{PUF_1, \dots, PUF_t\}$.
Further, in Enc the data owner randomly selects k PUFs from K, denoted $PUF_{t_i}$ with $t_i \in [1, t]$, and for all $i \in [1, k]$ computes:
Together with the corresponding shares $f_{t_i}$, the polynomial f(x) is recovered and $a_0 = f(0)$ is computed. Index construction: for each keyword $w_j$, $j \in [1, m]$, the data owner builds the set of identifiers of the files in the file set that contain $w_j$, together with the lexical order of $w_j$; the identifier set is converted into a bit string $V_w$ of length l, with l > n; for $i \in [1, l]$, the i-th bit of $V_w$ is set if and only if the stated condition holds; at the same time, the data owner computes:
A verifiable hash table VHT is built: for $j \in [1, m]$, each node on the VHT is a tuple whose key and value are derived from $w_j$ and whose $c_l$ and $c_r$ are the node's left and right children; the hash value of a node is defined as:
Let $h_{root}$ denote the hash value of the VHT root node. The data owner sets the counter T = 1 and computes:
The ciphertext $c_i$ is given the same identifier as $DB_i$. The data owner sends T and the user identity ID to the cloud server, which computes the signature $\delta = SIGN(T \| ID)$ and returns it to the data owner. Finally, the algorithm outputs the encrypted file set, the index and $\sigma = (T, \delta)$. The data owner outsources the encrypted file set and the index to the cloud server and stores $\sigma$ locally.
Further, in TrapGen(w, K, PP) the data owner needs to recover $a_0$ and compute:
Further, in Search the cloud server looks in the index for a node whose key equals $TK_w$; if such a node N′ is found, R(w) ← (N′, N′); otherwise, let $N_{big}$ be the node with the smallest key larger than $TK_w$ and $N_{small}$ the node with the largest key smaller than $TK_w$, and R(w) ← ($N_{big}$, $N_{small}$); the search path is recorded as the evidence $\tau$, and R(w) and $\tau$ are returned to the data owner.
Further, in Verify(R(w), τ, K, PP, σ) the data owner recovers $a_0$ from the key K and checks:
If both equations hold, the data owner accepts R(w) and continues with the next verification, otherwise outputs ⊥;
If the accepted R(w) consists of the same node twice, the data owner computes:
and sends $V_w$ to the cloud server; the cloud server returns the ciphertext set corresponding to $V_w$; for each ciphertext file the data owner checks the MAC, where $K_4 = H_1(a_0 \| id(DB_i) \| 2)$; if the equation holds the data owner outputs the recovered files, otherwise outputs ⊥;
Further, in Update(op, K, PP) the data owner proceeds according to op:
Modify: op = {modify, $c_i$, W′}; the data owner wants to replace $c_i$ by $c_i'$. For each keyword $w_j \in W'$, the data owner generates the corresponding trapdoor $TK_{w_j}$ and obtains the search result $R(w_j)$; after $R(w_j)$ passes verification, the data owner recovers $V_{w_j}$ from $R(w_j)$, sets the entry corresponding to $c_i$, encrypts the new value and replaces the old node value with it. After every keyword $w_j$ has been updated, the data owner sets T ← T + 1, computes the new root hash $h_{root}'$ and the new MAC $\beta'$, and sends ($c_i'$, $h_{root}'$, $\beta'$, T, ID) together with the updated nodes to the cloud server; the cloud server sets $h_{root} \leftarrow h_{root}'$, $\beta \leftarrow \beta'$, $c_i \leftarrow c_i'$, updates the VHT with the new nodes, and computes $\delta' = SIGN(T \| ID)$; the cloud server sends $\delta'$ to the data owner, who sets $\delta \leftarrow \delta'$ if $\delta'$ is valid;
Delete: op = {delete, $c_i$, W′}; $c_i$ is modified to the string delete and, for each $w_j \in W'$, the corresponding entry of $V_{w_j}$ is updated;
Add: op = {add, $c_{n+1}$, W′}; the data owner adds a new file $c_{n+1}$. For each new keyword $w_j \in W'$, the data owner generates the corresponding trapdoor $TK_{w_j}$, obtains the search result $R(w_j)$ and verifies it, then creates a child node under the last node of the search path. After every keyword $w_j$ has been updated, the data owner sets T ← T + 1, computes the new root hash $h_{root}'$ and the new MAC $\beta'$, and sends ($c_{n+1}$, $h_{root}'$, $\beta'$, T, ID) together with the new nodes to the cloud server; the cloud server sets $h_{root} \leftarrow h_{root}'$, $\beta \leftarrow \beta'$, inserts $c_{n+1}$, updates the VHT with the new nodes and computes $\delta' = SIGN(T \| ID)$; the cloud server sends $\delta'$ to the data owner, who sets $\delta \leftarrow \delta'$ if $\delta'$ is valid.
The invention further aims to provide a cloud server applying the verifiable memory leak prevention dynamic searchable encryption method.
The invention is based on physically unclonable functions and the verifiable hash table VHT, and is the first symmetric searchable encryption scheme to achieve both resistance to memory attacks and verifiability of search results. To resist memory attacks, the invention stores no secret information in non-volatile memory; instead the key is regenerated on demand from the outputs of the physically unclonable functions. Since a physically unclonable function can only be realized by its physical system and cannot be cloned, a memory attacker obtains no secret information. Combining the physically unclonable functions with secret sharing also solves the instability of PUF-derived keys: even if some physically unclonable functions are damaged, the key can still be recovered from the remaining ones. To make search results verifiable, the invention builds a secure index from the verifiable hash table. If the server maliciously tampers with a search result, the integrity of the verifiable hash table is broken, so the root hash recomputed from the search path fails verification. Binding the root hash to a counter additionally prevents replay attacks.
Compared with Dai's memory-leakage-resistant searchable encryption scheme [Dai S, Li H, Zhang F. Memory leakage-resilient searchable symmetric encryption. Future Generation Computer Systems, 2016, 62:76-84], the invention adds verifiability of search results, improves security and also reduces space complexity (see Table 1). In Table 1, d is the number of keywords in the dictionary and m the number of keywords in the outsourced document set.
TABLE 1 protocol comparison
Drawings
Fig. 1 is a flowchart of the verifiable, memory-leakage-resistant dynamic searchable encryption method according to an embodiment of the invention.
Fig. 2 shows an example lookup table (VHT) according to an embodiment of the invention.
Fig. 3 shows the index setup time with the number of keywords fixed at 4000, according to an embodiment of the invention.
Fig. 4 shows the index setup time with the number of files fixed at 4000, according to an embodiment of the invention.
Fig. 5 shows the search time with the number of keywords fixed at 4000, according to an embodiment of the invention.
Fig. 6 shows the search time with the number of files fixed at 4000, according to an embodiment of the invention.
Fig. 7 shows the verification time with 4000 files, according to an embodiment of the invention.
Fig. 8 shows the time of the add operation with the number of files fixed at 4000, according to an embodiment of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Symmetric Searchable Encryption (SSE) allows a data owner to outsource own encrypted data to a cloud server and can perform keyword retrieval on the outsourced encrypted data. SSE has become an important technology in the field of cloud computing.
The following detailed description of the principles of the invention is provided in connection with the accompanying drawings.
As shown in fig. 1, the verifiable memory leak prevention dynamic searchable encryption method provided in the embodiment of the present invention includes the following steps:
step one, setting: a data owner scans an outsourced file set, establishes a safe index, encrypts the file set and outsources the index and the encrypted file set to a cloud server;
step two, searching: the data owner generates a trapdoor of the keyword to be retrieved and sends the trapdoor to the cloud server; the cloud server retrieves the index by using the trapdoor and returns the search result and evidence to the data owner. The data owner verifies the validity of the evidence, if the evidence passes the verification, the search result is accepted, otherwise, the search result is rejected;
step three, updating: and the data owner updates the corresponding keywords on the encrypted file set and the index and updates the evidence stored by the cloud server.
The application of the principles of the present invention will now be described in further detail with reference to the accompanying drawings.
1. The method replaces long-term stored information with physically unclonable functions: the output of each PUF serves as one input to the secret-sharing scheme to construct the corresponding share, so no secret information needs to be stored in non-volatile memory. If one physically unclonable function is damaged, the remaining ones can still recover the secret information. The verifiable hash table VHT is used to build a secure index, and the hash value of the VHT root node serves as evidence for validating search results. Each node on the VHT corresponds to one keyword. Because the VHT has the properties of a binary search tree, searching on it is efficient, and updating a keyword is updating the corresponding node on the VHT. To thwart replay attacks, the VHT root hash is bound to a counter, and the server must sign the counter so that its validity can be checked. The integrity of the ciphertext data is ensured by a MAC.
1.1 The symbols used in the scheme are summarized in Table 2. Without loss of generality, all files in DB are assumed to have the same length, i.e. for all $i \in [1, n]$, $DB_i \in \{0,1\}^q$.
TABLE 2 symbol definitions
1.2 concrete Structure
Collision-resistant hash functions are used, together with PCPA-secure symmetric encryption algorithms $E_1 = (\mathrm{Enc}_1, \mathrm{Dec}_1)$ and $E_2 = (\mathrm{Enc}_2, \mathrm{Dec}_2)$, a pseudo-random permutation, a message authentication code MAC, and a secure signature scheme SIGN such as the BLS short signature, where d is the number of keywords in the dictionary. The invention consists of six algorithms (KeyGen, Enc, TrapGen, Search, Verify, Update), as follows:
KeyGen($1^\lambda$)
$\lambda$ is the security parameter. The data owner runs this algorithm to generate the key K. First, the data owner randomly selects t $(n_1, d_1, m_1)$-PUFs, an $n_1$-bit string s and a secret $a_0$. Each physically unclonable function is as shown below:
Compute:
$r_i = PUF_i(s),\quad (z_i, hd_i) \leftarrow FE.Gen(r_i),\quad i \in [1, t];$
where FE = (FE.Gen, FE.Rep) is an $(n_1, d_1, m_1)$-fuzzy extractor. Next, the data owner selects a prime p larger than both $a_0$ and t and constructs over the finite field the polynomial of degree $k-1$:
$f(x) = a_0 + a_1 x + \dots + a_{k-2} x^{k-2} + a_{k-1} x^{k-1} \bmod p;$
where $a_1, \dots, a_{k-1}$ are integers chosen uniformly at random from [0, p). Finally, the data owner computes the shares:
and outputs the public parameters $PP = \{f_1, \dots, f_t, hd_1, \dots, hd_t, s, p\}$ and the key $K = \{PUF_1, \dots, PUF_t\}$.
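The KeyGen sharing step above (and its summary in the Disclosure section) can be exercised with the following Python, an added example that is not the patent's own code. It simulates each PUF as a keyed function whose key never leaves the "device" and elides the fuzzy extractor (FE.Gen/FE.Rep with helper data $hd_i$), so PUF responses are treated as already error-corrected. Because the share formula is not reproduced in the text, the example assumes the share is $f_i = f(z_i)$, i.e. the PUF-derived $z_i$ is the secret x-coordinate and $f_i$ the public y-coordinate, so that PP = {f_1, …, f_t, s, p} alone does not determine $a_0$ and any k of the t PUFs recover $a_0 = f(0)$ by Lagrange interpolation. The prime P, the use of SHA-256/HMAC, and the `derive_subkey` encoding are likewise assumptions.

```python
"""Key recovery from PUF responses via Shamir secret sharing, so no secret
has to sit in non-volatile memory. Added example, not the patent's code;
the PUF is simulated and the fuzzy extractor is elided (see comments)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

P = (1 << 127) - 1  # prime p; assumption: any prime larger than a0 and t


class SimPUF:
    """Stand-in for an (n1, d1, m1)-PUF. The per-instance random key models
    the physical randomness that makes a real PUF unclonable and is never
    exported. A real response r_i = PUF_i(s) is noisy and is cleaned up by
    the fuzzy extractor, (z_i, hd_i) <- FE.Gen(r_i) then z_i <- FE.Rep(r_i', hd_i);
    here the response is exact, so z_i is taken directly from it."""

    def __init__(self) -> None:
        self._device = secrets.token_bytes(32)

    def z(self, s: bytes) -> int:
        """z_i for challenge s, mapped into [1, P-1] so it can serve as an x-coordinate."""
        r = hmac.new(self._device, s, hashlib.sha256).digest()
        return 1 + int.from_bytes(r, "big") % (P - 1)


def eval_poly(coeffs: List[int], x: int) -> int:
    """f(x) = a0 + a1 x + ... + a_{k-1} x^{k-1} mod P (Horner; coeffs[0] is a0)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def keygen(a0: int, t: int, k: int, s: bytes) -> Tuple[List[SimPUF], List[int]]:
    """KeyGen: t PUFs, a random degree-(k-1) polynomial with f(0) = a0, and the
    public shares f_i. Assumption: f_i = f(z_i), so the PUF-derived z_i is the
    secret x-coordinate and PP = {f_1..f_t, s, p} reveals nothing without the PUFs."""
    assert 0 < a0 < P and 1 < k <= t
    pufs = [SimPUF() for _ in range(t)]
    coeffs = [a0] + [secrets.randbelow(P) for _ in range(k - 1)]
    xs = [puf.z(s) for puf in pufs]
    assert len(set(xs)) == t, "colliding z_i (negligible probability); rerun KeyGen"
    shares = [eval_poly(coeffs, x) for x in xs]
    return pufs, shares


def lagrange_zero(points: List[Tuple[int, int]]) -> int:
    """f(0) from k distinct points (x_j, y_j) by Lagrange interpolation over GF(P)."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (-xm) % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, P - 2, P)) % P
    return total


def recover(alive: Dict[int, SimPUF], shares: List[int], s: bytes, k: int) -> int:
    """Recover a0 from any k PUFs that still respond (keys are indices into
    `shares`); the other t - k may be damaged. Fewer than k raises ValueError."""
    if len(alive) < k:
        raise ValueError(f"need {k} working PUFs, only {len(alive)} respond")
    chosen = sorted(alive)[:k]
    return lagrange_zero([(alive[i].z(s), shares[i]) for i in chosen])


def derive_subkey(a0: int, label: bytes) -> bytes:
    """Per-use key from the recovered secret, in the spirit of K4 = H1(a0 || id(DB_i) || 2).
    Assumed encoding: a0 as 16 big-endian bytes followed by the label, hashed with SHA-256."""
    return hashlib.sha256(a0.to_bytes(16, "big") + label).digest()
```

The point to notice is that the public shares are useless on their own: an attacker who dumps non-volatile memory gets $f_i$, s and p, but without k physical PUF instances the x-coordinates are missing and $a_0$ is information-theoretically hidden, while the data owner with k of t healthy PUFs (here t = 5, k = 3) recovers it exactly.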
Enc
Given the file set, the keyword set, the public parameters PP and the secret key K, the data owner runs this probabilistic algorithm to generate the encrypted file set, the search index and the client state $\sigma$.
The data owner randomly selects k physically unclonable functions from K, denoted $PUF_{t_i}$ with $t_i \in [1, t]$, and for all $i \in [1, k]$ computes:
Together with the corresponding shares $f_{t_i}$, the polynomial f(x) is easily recovered and $a_0 = f(0)$ is computed. Index construction: for each keyword $w_j$, $j \in [1, m]$, the data owner first builds the set of identifiers of the files containing $w_j$ and the lexical order of $w_j$, then converts the identifier set into a bit string $V_w$ of length l, with l > n; for $i \in [1, l]$, the i-th bit of $V_w$ is set if and only if the stated condition holds; at the same time, the data owner computes:
A verifiable hash table VHT, which is also a lookup table, is created: for $j \in [1, m]$, each node of the VHT is a tuple whose key and value are derived from $w_j$ and whose $c_l$ and $c_r$ are the node's left and right children. The hash value of a node is defined as:
An example lookup table is given in Fig. 2; each node in the lookup table maps one keyword. Let $h_{root}$ denote the hash value of the VHT root node. The data owner sets T = 1 and computes:
The data owner sends T and ID to the cloud server, which computes the signature $\delta = SIGN(T \| ID)$ and returns it to the data owner. Finally, the algorithm outputs the encrypted file set, the index and $\sigma = (T, \delta)$. The data owner outsources the encrypted file set and the index to the cloud server and stores $\sigma$ locally.
TrapGen(w, K, PP)
Given a query keyword $w \in \Delta$, the data owner runs this algorithm to generate the trapdoor of w. First, the data owner needs to recover $a_0$ and compute:
Search
On receiving the trapdoor $TK_w$, the cloud server runs this algorithm to match the trapdoor on the index. The node(s) matching $TK_w$ on the VHT are returned to the data owner as the search result R(w), together with the search proof $\tau$. The search process is summarized in Algorithm 1. For simplicity, the key of a node is denoted nkey, and the root of the VHT is denoted separately.
In Algorithm 1, L contains the search path from the root node to the closest node (the last node visited), the children of that node, and the siblings of the nodes on the search path.
Verify(R(w), τ, K, PP, σ)
Since a malicious server may return erroneous results, the data owner runs this algorithm to validate the search results.
On receiving the search result R(w) and the evidence $\tau$, the data owner recomputes the hash value of the root node from the search path, denoted $h_{root}'$. At the same time, the data owner recovers $a_0$ from the key K and checks:
If both equations hold, the data owner accepts R(w) and continues with the next verification, otherwise outputs ⊥.
If the accepted R(w) consists of two identical nodes, the data owner computes:
and sends $V_w$ to the cloud server. The cloud server returns the ciphertext set corresponding to $V_w$. For each ciphertext file the data owner checks the MAC, where $K_4 = H_1(a_0 \| id(DB_i) \| 2)$. If the equation holds, the data owner outputs the recovered files, otherwise outputs ⊥.
Update(op, K, PP)
op = {upd, c, W′} denotes an update operation, where upd is the update type, c the updated file and W′ the updated keyword set. According to op, the data owner performs the following operations:
Modify: op = {modify, $c_i$, W′}; suppose the data owner wants to replace $c_i$ by $c_i'$. For each keyword $w_j \in W'$, the data owner first generates the corresponding trapdoor $TK_{w_j}$ and obtains the search result $R(w_j)$, which must pass verification. The data owner then recovers $V_{w_j}$ from $R(w_j)$, sets the entry corresponding to $c_i$, encrypts the new value and replaces the old node value with it. After every keyword $w_j$ has been updated, the data owner sets T ← T + 1, computes the new root hash $h_{root}'$ and the new MAC $\beta'$, and sends ($c_i'$, $h_{root}'$, $\beta'$, T, ID) together with the updated nodes to the cloud server. Finally, the cloud server sets $h_{root} \leftarrow h_{root}'$, $\beta \leftarrow \beta'$, $c_i \leftarrow c_i'$, updates the VHT with the new nodes and computes $\delta' = SIGN(T \| ID)$. The cloud server sends $\delta'$ to the data owner, who sets $\delta \leftarrow \delta'$ if $\delta'$ is valid.
Delete: op = {delete, $c_i$, W′}. Deleting $c_i$ is a special case of the modify operation: $c_i$ is modified to the string delete and, for each $w_j \in W'$, the corresponding entry of $V_{w_j}$ is updated.
Add: op = {add, $c_{n+1}$, W′}; suppose the data owner adds a new file $c_{n+1}$. For each keyword $w_j \in W'$, if $w_j$ is already indexed, the add operation is a special modify operation that sets the corresponding entry. Otherwise, the data owner first generates the corresponding trapdoor $TK_{w_j}$, obtains the search result $R(w_j)$ and verifies it, then creates a child node under the last node of the search path. After every keyword $w_j$ has been updated, the data owner sets T ← T + 1, computes the new root hash $h_{root}'$ and the new MAC $\beta'$, and sends ($c_{n+1}$, $h_{root}'$, $\beta'$, T, ID) together with the new nodes to the cloud server. Finally, the cloud server sets $h_{root} \leftarrow h_{root}'$, $\beta \leftarrow \beta'$, inserts $c_{n+1}$, updates the VHT with the new nodes and computes $\delta' = SIGN(T \| ID)$. The cloud server sends $\delta'$ to the data owner, who sets $\delta \leftarrow \delta'$ if $\delta'$ is valid.
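The Search, Verify and Update steps above (and the same steps in the Disclosure section) as an added Python example that is not the patent's code. It builds the VHT as a balanced binary search tree whose node hash covers (nkey, v, h(left), h(right)), has the server return the search path as the proof $\tau$, and has the client re-derive R(w) from $\tau$, recompute $h_{root}$ and check $\beta = MAC_{K_3}(h_{root} \| T)$; it also shows the modify operation and why the counter T defeats replay of a stale ($\tau$, $\beta$). SHA-256, HMAC-SHA256, the `EMPTY` child hash, the key name `k3` and the `build_vht`/`search`/`verify`/`modify` interfaces are assumptions; the server's signature $\delta$ over (T ‖ ID), the ciphertext files and the $V_w$ bitmaps are left out.

```python
"""Toy verifiable hash table (VHT): a binary search tree whose nodes carry
Merkle-style hashes, with search proofs, the MAC over (root hash, counter)
and a modify operation that advances the counter. Added example, not the
patent's code; SHA-256 and HMAC-SHA256 are assumed instantiations."""
import hashlib
import hmac
from typing import List, Optional, Tuple

EMPTY = b"\x00" * 32  # hash stand-in for an absent child (assumption)
Entry = Tuple[bytes, bytes, bytes, bytes]  # (nkey, v, h(left), h(right))


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"\x1f".join(parts)).digest()


class Node:
    def __init__(self, nkey: bytes, v: bytes) -> None:
        # nkey: keyword trapdoor used as BST key; v: encrypted value for it
        self.nkey, self.v, self.cl, self.cr, self.h = nkey, v, None, None, b""

    def entry(self) -> Entry:
        return (self.nkey, self.v, self.cl.h if self.cl else EMPTY,
                self.cr.h if self.cr else EMPTY)

    def rehash(self) -> None:
        self.h = H(*self.entry())  # h_N covers key, value and both child hashes


def build_vht(items: List[Tuple[bytes, bytes]]) -> Optional[Node]:
    """Balanced BST over (nkey, v) pairs; each node hashes its two children."""
    items = sorted(items)
    if not items:
        return None
    mid = len(items) // 2
    n = Node(*items[mid])
    n.cl, n.cr = build_vht(items[:mid]), build_vht(items[mid + 1:])
    n.rehash()
    return n


def root_mac(k3: bytes, h_root: bytes, T: int) -> bytes:
    """beta = MAC_K3(h_root || T): ties the index state to the client's counter."""
    return hmac.new(k3, h_root + T.to_bytes(8, "big"), hashlib.sha256).digest()


def search(root: Node, tk: bytes):
    """Server side. Returns (R(w), tau). R(w) is (N', N') on a hit, otherwise
    (N_big, N_small): the nearest keys above and below tk seen on the path.
    tau is the search path from the root to the last node visited."""
    proof, n, big, small = [], root, None, None
    while n is not None:
        proof.append(n.entry())
        if tk == n.nkey:
            return ((n.nkey, n.v), (n.nkey, n.v)), proof
        if tk < n.nkey:
            big, n = (n.nkey, n.v), n.cl
        else:
            small, n = (n.nkey, n.v), n.cr
    return (big, small), proof


def verify(k3: bytes, tk: bytes, proof: List[Entry], beta: bytes, T: int):
    """Client side. Checks that tau is the genuine BST search path for tk (so a
    match cannot be hidden by stopping early or branching wrongly), recomputes
    h_root from it and checks MAC_K3(h_root || T). Returns R(w), or None."""
    if not proof:
        return None
    big = small = result = None
    for i, (nkey, v, hl, hr) in enumerate(proof):
        last = i == len(proof) - 1
        nxt = None if last else proof[i + 1][0]
        if tk == nkey:
            if not last:
                return None
            result = ((nkey, v), (nkey, v))
        elif tk < nkey:  # must continue left, or end at an empty left child
            big = (nkey, v)
            wrong = (hl != EMPTY) if last else (nxt >= nkey)
            if wrong:
                return None
        else:  # must continue right, or end at an empty right child
            small = (nkey, v)
            wrong = (hr != EMPTY) if last else (nxt <= nkey)
            if wrong:
                return None
        if last and result is None:
            result = (big, small)
    h = None  # bottom-up: substitute the recomputed child hash at each level
    for i in range(len(proof) - 1, -1, -1):
        nkey, v, hl, hr = proof[i]
        if h is not None:
            if proof[i + 1][0] < nkey:
                hl = h
            else:
                hr = h
        h = H(nkey, v, hl, hr)
    if not hmac.compare_digest(root_mac(k3, h, T), beta):
        return None
    return result


def modify(root: Node, nkey: bytes, new_v: bytes) -> None:
    """Data owner's 'modify' op on one node: replace v, rehash up to the root.
    The caller then sets T <- T + 1 and recomputes beta with root_mac()."""
    path, n = [], root
    while n is not None and n.nkey != nkey:
        path.append(n)
        n = n.cl if nkey < n.nkey else n.cr
    if n is None:
        raise KeyError(nkey)
    n.v = new_v
    n.rehash()
    for p in reversed(path):
        p.rehash()
```

The client never trusts the server's R(w) as sent: it rebuilds it from $\tau$, the ordering checks make it impossible to hide a matching node by stopping early or taking the wrong branch, and the bottom-up recomputation means any altered node on the path changes the reconstructed root so the MAC check fails. After a modify the old ($\tau$, $\beta$) still verifies under the old counter, which is exactly why T must advance and be carried in the MAC.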
The effect of the present invention will be described in detail below with reference to the efficiency analysis.
1. Kurosawa's scheme [Kurosawa K, Ohtaki Y. How to Update Documents Verifiably in Searchable Symmetric Encryption. Cryptology and Network Security (CANS 2013), Springer, 2013:309-328] and Dai's scheme [Dai S, Li H, Zhang F. Memory leakage-resilient searchable symmetric encryption. Future Generation Computer Systems, 2016, 62:76-84] are compared with the invention. First, the invention achieves memory-leakage resistance and verifiable search results at the same time. Second, the invention is efficient, because it involves no exponentiation and no symmetric fully homomorphic encryption, and the client's computational overhead is independent of the size of the file set. Finally, in Dai's scheme the client must store a table of size O(d) locally to complete a search, d being the number of all possible keywords in the dictionary, whereas in the invention the client keeps only one counter and one signature locally; compared with Dai's scheme, the space complexity of the invention is therefore smaller. Furthermore, even if some of the physically unclonable functions are damaged the invention can still recover the key, which Dai's scheme cannot.
Table 3 compares the three schemes. In the table, n is the number of files in the file set, m the number of keywords in the keyword set, u the number of files returned by a search, |W| the number of updated keywords, k the number of physically unclonable functions selected to reconstruct the secret, U an operation on a physically unclonable function and the fuzzy extractor, I an integer comparison, P a symmetric fully homomorphic encryption operation, D a group exponentiation, Z a hash operation and A a MAC operation.
Table 3 comparison of the three protocols
Scheme | Kurosawa protocol | Dai protocol | Present invention |
---|---|---|---|
Memory leakage resistance | Not supported | Supported | Supported |
Verifiability | Supported | Not supported | Supported |
Search computation (server) | (mn-u)(Z+A) | 1P | log m I |
Verification computation (client) | (u+n)(Z+A) | - | log m A+(u+1)M+1D+kU |
Add computation (client) | (m+1)(Z+A) | \|W\|(2U+P) | (\|W\|+1)(log m A+M)+\|W\|D+kU |
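As an added illustration of the key-recovery property discussed above (any k of the t physically unclonable functions suffice to rebuild the secret), not the patent's own code: each simulated PUF output serves as the x-coordinate of a Shamir polynomial, the shares f(x_i) are published as the public parameter, and the cryptographic tool keys are derived from the recovered a0 instead of being stored. The hash-based PUF/fuzzy-extractor model, the field prime P and the sample devices are assumptions.

```python
import hashlib
import secrets

P = 2**127 - 1  # prime field for the sharing polynomial (constructed choice)

def puf_response(device_seed: bytes, challenge: bytes) -> int:
    """Simulated PUF: the seed models the device fingerprint and the hash stands in for the
    fuzzy extractor's noise-free output (assumption; a real FE reproduces it from noisy responses)."""
    return int.from_bytes(hashlib.sha256(device_seed + challenge).digest(), "big") % P

def lagrange_at_zero(points):
    """Recover f(0) from k distinct points of a degree-(k-1) polynomial over GF(P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def keygen(pufs, challenge, k):
    """Share a fresh secret a0 with threshold k: each PUF output is an x-coordinate of the polynomial
    and the share f(x_i) becomes the public parameter PP; the key K is the PUFs themselves."""
    coeffs = [secrets.randbelow(P) for _ in range(k)]  # coeffs[0] is a0
    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation
            acc = (acc * x + c) % P
        return acc
    pp = [f(puf_response(seed, challenge)) for seed in pufs]
    return coeffs[0], pp

def recover(pufs, challenge, pp, k, working):
    """Rebuild a0 from any k PUFs that still respond (indices in `working`); the rest may be damaged."""
    idx = list(working)[:k]
    if len(idx) < k:
        raise ValueError("fewer than k usable PUFs: secret is unrecoverable")
    return lagrange_at_zero([(puf_response(pufs[i], challenge), pp[i]) for i in idx])

def derive_tool_key(a0: int, label: bytes) -> bytes:
    """Keys of the cryptographic tools (E1, E2, PRP, MAC) are derived from a0, never stored long-term."""
    return hashlib.sha256(a0.to_bytes(16, "big") + label).digest()
```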
1.1 efficiency analysis
The proposed memory-leakage-resilient dynamic SSE scheme was simulated experimentally; the experimental environment was a Windows system with a 2.60 GHz CPU and 8 GB of RAM.
Figs. 3 to 8 compare the index construction, search, verification and update times of the invention with those of Dai's scheme. In this timing simulation the dictionary holds 40000 keywords, and k = 4 and t = 5 in the invention. Figs. 3 and 4 show that the index construction time grows linearly with the number m of keywords and is independent of the number n of files; although the index construction overhead is large, it is a one-time cost. Figs. 5 and 6 show that in the search phase the invention outperforms Dai's scheme when the number of files is appropriate; in fact, the search time of the invention is linear in log m, and even with m = 8000 it is only 11 ms, which is sufficiently efficient. Fig. 7 shows that verification in the invention is very fast and that the verification time increases only slowly as the number of keywords grows, so the client overhead rises only slightly while security improves. Fig. 8 compares the time of the add operation; the add operation of the invention takes milliseconds, which is adequate for practical applications.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.
Claims (7)
1. A verifiable memory leak prevention dynamic searchable encryption method, characterized in that physically unclonable functions are used in place of long-term information stored in non-volatile memory, and the output of each physically unclonable function is used as one input of the polynomial of a secret sharing scheme to construct the corresponding share; a verifiable hash table VHT is used to construct a secure index, wherein the hash value of the VHT root node serves as evidence for verifying the correctness and integrity of a search result, and each node of the VHT corresponds to one keyword; updating a keyword means updating the corresponding node of the VHT; the hash value of the VHT root node is bound to a counter, and the counter is signed by the cloud server;
the verifiable memory leak prevention dynamic searchable encryption method uses a collision-resistant hash function, PCPA-secure symmetric encryption algorithms E1 = (Enc1, Dec1) and E2 = (Enc2, Dec2), a pseudo-random permutation, a message authentication code and a secure signature scheme SIGN (the BLS short signature), wherein d denotes the number of keywords contained in the dictionary;
the verifiable memory leak prevention dynamic searchable encryption method further comprises the following six algorithms:
KeyGen(1^λ): input the security parameter λ; output the secret key K kept by the data owner and the public parameter PP;
Index construction: input the document set, the keyword set, the secret key K and the public parameter PP; output a secure index, the encrypted file collection and the data owner state σ; the index and the encrypted file collection are outsourced to the cloud server;
TrapGen(w, K, PP): input the search keyword w, the key K and the public parameter PP; output the trapdoor TK_w;
Search: upon receiving the trapdoor TK_w, the cloud server runs the algorithm over the index and returns the corresponding search result R(w) and search evidence τ;
Verify(R(w), τ, K, PP, σ): if the search result R(w) passes verification against the evidence τ, accept R(w) and output the corresponding ciphertext set; otherwise output the error T;
2. The verifiable memory leak prevention dynamic searchable encryption method according to claim 1, wherein in KeyGen(1^λ) the data owner first randomly selects t physically unclonable functions (n1, d1, m1)-PUF, one (n1, d1, m1) fuzzy extractor FE and a secret a0; the data owner then constructs a polynomial f(x) from the secret a0 and computes the shares of the secret sharing scheme using the physically unclonable functions (n1, d1, m1)-PUF and the fuzzy extractor FE; the key K is the selected physically unclonable functions, and the computed shares are the public parameter.
3. The verifiable memory leak prevention dynamic searchable encryption method according to claim 1, wherein in the index construction algorithm the data owner first recovers the secret a0 from the secret key K and the public parameter, and the keys of the cryptographic tools used in the algorithm are constructed from a0; the data owner scans the outsourced file set, builds the keyword set and the corresponding set of file identifiers, builds the index using the verifiable hash table VHT, computes the hash value of the VHT root node, and computes a MAC over that hash value and a counter; the VHT is a binary tree structure combining the characteristics of a Merkle hash tree and a binary search tree; each node N of the VHT is a tuple (nkey, v, c_l, c_r, h_N), where nkey is the key of node N, v the value of node N, c_l and c_r the left and right children of node N, and h_N the hash value of node N (the claim gives its definition as a formula that is not reproduced here); the key of node N is larger than the keys of all nodes in its left subtree and smaller than the keys of all nodes in its right subtree.
4. The verifiable memory leak prevention dynamic searchable encryption method according to claim 1, wherein in TrapGen(w, K, PP) the pseudo-random permutation of the lexicographic order of the keyword to be searched is the search trapdoor for that keyword.
6. The verifiable memory leak prevention dynamic searchable encryption method according to claim 1, wherein in Verify(R(w), τ, K, PP, σ) the data owner recomputes the hash value of the VHT root node along the search path and computes a MAC over the recomputed hash value and the locally stored counter; if the computed MAC equals the MAC returned by the cloud server, verification passes, otherwise it fails.
7. The verifiable memory leak prevention dynamic searchable encryption method according to claim 1, wherein in Update(op, K, PP) updating an existing keyword modifies the value of the corresponding VHT node and adding a new keyword adds a new node; every update operation increments the counter by one and recomputes the root node hash value and the MAC of the VHT.
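The VHT search, verification and update flow of claims 3, 6 and 7, as an added example that is not the patent's own code: the server returns a keyword's value together with the sibling hashes along the search path, the client rebuilds the root hash and checks the MAC over (root hash, counter), and an update rebinds the new root to an incremented counter so a stale MAC no longer verifies. SHA-256 as the node hash, HMAC-SHA-256 as the MAC and the sample keyword/file-identifier values are assumptions.

```python
import hashlib, hmac

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()
EMPTY = H(b"")  # placeholder hash for an absent child

def child_hash(n, side):
    return n[side]["hN"] if n[side] else EMPTY

def node_hash(n):
    """h_N chains the node key, value and both child hashes, Merkle style (claim 3)."""
    return H(n["nkey"], n["v"], child_hash(n, "cl"), child_hash(n, "cr"))

def put(n, key, val):
    """BST insert (new keyword) or modify (existing keyword); hashes on the path are recomputed (claim 7)."""
    if n is None:
        n = {"nkey": key, "v": val, "cl": None, "cr": None}
    elif key < n["nkey"]:
        n["cl"] = put(n["cl"], key, val)
    elif key > n["nkey"]:
        n["cr"] = put(n["cr"], key, val)
    else:
        n["v"] = val
    n["hN"] = node_hash(n)
    return n

def search(root, key):
    """Server: value plus proof = (nkey, v, sibling hash, side taken) per ancestor, then the hit node's (nkey, v, h_cl, h_cr)."""
    proof, n = [], root
    while n:
        if key == n["nkey"]:
            proof.append((n["nkey"], n["v"], child_hash(n, "cl"), child_hash(n, "cr")))
            return n["v"], proof
        side = "cl" if key < n["nkey"] else "cr"
        proof.append((n["nkey"], n["v"], child_hash(n, "cr" if side == "cl" else "cl"), side))
        n = n[side]
    return None, None  # proofs of absence are out of scope here

def mac_root(root, mac_key: bytes, counter: int) -> bytes:
    """Data owner binds the root hash to the current counter (claims 3 and 7)."""
    h = root["hN"] if root else EMPTY
    return hmac.new(mac_key, h + counter.to_bytes(8, "big"), "sha256").digest()

def verify(proof, mac_key: bytes, counter: int, server_mac: bytes) -> bool:
    """Client (claim 6): rebuild the root hash from the search path and MAC it with the local counter."""
    nkey, v, hl, hr = proof[-1]
    h = H(nkey, v, hl, hr)
    for nkey, v, sib, side in reversed(proof[:-1]):
        h = H(nkey, v, h, sib) if side == "cl" else H(nkey, v, sib, h)
    return hmac.compare_digest(mac_root({"hN": h}, mac_key, counter), server_mac)
```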
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711146556.1A CN108055122B (en) | 2017-11-17 | 2017-11-17 | Verifiable memory leak prevention dynamic searchable encryption method and cloud server |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108055122A CN108055122A (en) | 2018-05-18 |
CN108055122B true CN108055122B (en) | 2021-03-23 |
Family
ID=62120291
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108055122B (en) |
Families Citing this family (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109088719B (en) * | 2018-08-14 | 2019-06-04 | 重庆第二师范学院 | Outsourced database multi-key word can verify that cipher text searching method, data processing system |
CN109492410B (en) * | 2018-10-09 | 2020-09-01 | 华南农业大学 | Data searchable encryption and keyword search method, system, terminal and equipment |
CN110334526B (en) * | 2019-05-30 | 2023-01-03 | 西安电子科技大学 | Forward security searchable encryption storage system and method supporting verification |
CN110392038B (en) * | 2019-06-03 | 2021-07-13 | 西安电子科技大学 | Multi-key searchable encryption method capable of being verified in multi-user scene |
CN110457915B (en) * | 2019-07-17 | 2020-12-29 | 华中科技大学 | Efficient searchable symmetric encryption method and system with forward and backward security |
CN110851481B (en) * | 2019-11-08 | 2022-06-28 | 青岛大学 | Searchable encryption method, device and equipment and readable storage medium |
CN111614470A (en) * | 2020-05-27 | 2020-09-01 | 贵州大学 | Verifiable multi-keyword search method based on improved Merkle-Tree authentication method |
CN111917759B (en) * | 2020-07-27 | 2021-02-19 | 八维通科技有限公司 | Data security interaction method for gas station |
CN112416948B (en) * | 2020-12-15 | 2022-11-01 | 暨南大学 | Verifiable gene data outsourcing query method and system |
CN113282543B (en) * | 2021-05-20 | 2022-07-05 | 支付宝(杭州)信息技术有限公司 | Verifiable searchable encryption method, device and equipment with forward security |
CN113282542B (en) * | 2021-05-20 | 2022-07-12 | 支付宝(杭州)信息技术有限公司 | Verifiable searchable encryption method, device and equipment with forward security |
CN114584286B (en) * | 2022-05-06 | 2022-08-05 | 武汉大学 | Dynamic ciphertext retrieval and verification method and system supporting omnidirectional operation |
CN114900318B (en) * | 2022-06-02 | 2024-04-19 | 浙江工商大学 | One-round communication searchable encryption method based on key negotiation protocol and verifiable |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090217045A1 (en) * | 2005-11-29 | 2009-08-27 | Koninklijke Philps Electronics, N.V. | Physical secret sharing and proofs of vicinity using pufs |
CN103763362B (en) * | 2014-01-13 | 2016-12-21 | 西安电子科技大学 | A kind of safe distributed data de-duplication method |
US9292692B2 (en) * | 2014-05-05 | 2016-03-22 | Sypris Electronics, Llc | System and device for verifying the integrity of a system from its subcomponents |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||